Vault rekey does not revoke previous unseal keys

Vault rekeying is not revoking previous unseal keys.

A major use case for rekeying is to revoke previous unseal keys.

Am I doing something wrong?

vault operator rekey -init

(Go through the process using the -nonce value)

After the new keys are generated, I can create another rekey process.
The previous unseal keys still function!?!

Hi Tyler!

I tested it and for me the old unseal keys were not working anymore.
What Vault version do you use? A small step-by-step guide of what you’ve done would also be quite helpful.

Cheers,
Michel